I am getting packet segments in two parts. I am able to see it in Wireshark as TCP reassembled. After searching on Google I found out about the don't fragment bit set for fragmented data, but it is not set even for fragmented data. I am using the Java jnetpcap library to get the packets, but I am not able to figure out which fields and flags I should wait for to reassemble the TCP packet. Sometimes the packet comes at once if I run on a VM, but sometimes it's fragmented. I need a way to figure out reassembling the packet.
-
Of course it is 'not set even for fragmented data'. Otherwise the data couldn't have been fragmented. – user207421 Nov 09 '14 at 22:58
1 Answer
Fragmentation can occur at many layers in the protocol. It can occur in IP, with an IP datagram being fragmented into multiple IP datagrams, and it can occur in protocols running atop TCP.
The "Don't fragment" bit is an IP bit. The packet segmentation you're seeing is at the TCP layer; that segmentation is completely separate from the fragmentation that happens at the IP layer.
IP reassembly is fairly easy to do in a packet analysis program; all the data you need in order to reassemble fragments is available in the IP protocol headers of the fragments.
TCP reassembly is NOT as easy to do. The abstraction TCP provides to protocols running on top of TCP is a sequenced stream of octets (bytes); there are no packet boundaries. A packet, or other multi-byte structure, sent over TCP could arbitrarily be broken into TCP segments at any point in the packet.
This means that TCP reassembly in a packet analysis program requires the code that understands TCP segments and the code that understands the protocol running atop TCP to cooperate. See, for example, the tcp_dissect_pdus() routine in Wireshark's packet-tcp.c file, and the code in its req_resp_hdrs.c file.
-
If incomplete packets arrive at the destination, there might be a way to find that its next packet is supposed to come after. How can we identify it? I have seen this answer http://stackoverflow.com/questions/4481914/reassembling-tcp-segments . But when I see it in Wireshark it's not getting the seq no as given in the answer. – saifjunaid Nov 10 '14 at 08:19
-
The answer to the question "Does wireshark use Ack to know what segments belong to each other?" is *NO*. As I already said, TCP itself provides *NO* information to indicate what bytes in the TCP byte stream are part of which higher-level packets; not only can a higher-level packet be split between two separate TCP segments, but a TCP segment can contain part or all of multiple packets. Until you understand why it is *impossible* to do reassembly based only on data in the TCP header, you will be incapable of writing code to do reassembly of packets for protocols running atop TCP. – Nov 10 '14 at 17:24
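The cooperation described in the answer, as an added example that is not part of the original thread and is not Wireshark's code: the TCP side places payload bytes by sequence number, and the protocol side decides where each message ends. The framing (a 2-byte big-endian length prefix) and all names (`struct stream`, `stream_add`, `stream_next_pdu`, `demo`) are assumptions for illustration; a real protocol supplies its own length rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STREAM_MAX 1024        /* demo-sized buffer for one direction of one connection */

struct stream {                /* zero-initialise, then set first_seq */
    uint8_t  buf[STREAM_MAX];  /* buf[i] is the byte at sequence number first_seq + i */
    uint8_t  have[STREAM_MAX]; /* 1 where that byte has been captured */
    uint32_t first_seq;        /* sequence number of the first payload byte (ISN + 1) */
    size_t   consumed;         /* bytes already handed out as complete PDUs */
};

/* TCP layer: place a payload by sequence number, so reordered and retransmitted
 * segments land in the right spot (a later copy overwrites). -1 if outside buffer. */
int stream_add(struct stream *s, uint32_t seq, const uint8_t *data, size_t len) {
    uint32_t off = seq - s->first_seq;      /* unsigned subtraction survives wrap */
    if (off > STREAM_MAX || len > STREAM_MAX - off) return -1;
    memcpy(s->buf + off, data, len);
    memset(s->have + off, 1, len);
    return 0;
}

/* Protocol layer, assumed framing: 2-byte big-endian body length, then the body.
 * Returns the body length and sets *body, or -1 while the next PDU is incomplete. */
long stream_next_pdu(struct stream *s, const uint8_t **body) {
    size_t end = s->consumed, avail, need;
    while (end < STREAM_MAX && s->have[end]) end++;   /* contiguous bytes only */
    avail = end - s->consumed;
    if (avail < 2) return -1;                         /* length header itself is split */
    need = 2 + (((size_t)s->buf[s->consumed] << 8) | s->buf[s->consumed + 1]);
    if (avail < need) return -1;                      /* wait for more segments */
    *body = s->buf + s->consumed + 2;
    s->consumed += need;
    return (long)(need - 2);
}

/* Constructed capture: "HELLO" and "OK" cut into three segments, the last two seen
 * out of order. Returns how many PDUs are complete after `arrivals` segments. */
int demo(int arrivals) {
    static const uint8_t a[] = {0, 5, 'H', 'E'}, b[] = {'L', 'L', 'O', 0}, c[] = {2, 'O', 'K'};
    struct stream s = { .first_seq = 1000 };
    const uint8_t *body; int n = 0;
    if (arrivals > 0) stream_add(&s, 1000, a, sizeof a);
    if (arrivals > 1) stream_add(&s, 1008, c, sizeof c);
    if (arrivals > 2) stream_add(&s, 1004, b, sizeof b);
    while (stream_next_pdu(&s, &body) >= 0) n++;
    return n;
}
```

Segment `b` carries the tail of one message and the first length byte of the next, so no field in its TCP header could mark a message boundary; only the length rule applied to the contiguous byte stream can.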